In brief

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.

Individuals have the right to request you restrict the processing of their personal data in the following circumstances:

the individual contests the accuracy of their personal data and you are verifying the accuracy of the data;

the data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;

you no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or

the individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.

Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:

if an individual has challenged the accuracy of their data and asked for you to rectify it (Article 16), they also have a right to request you restrict processing while you consider their rectification request; or

if an individual exercises their right to object under Article 21(1), they also have a right to request you restrict processing while you consider their objection request.

Therefore, as a matter of good practice you should automatically restrict the processing whilst you are considering its accuracy or the legitimate grounds for processing the personal data in question.

You need to have processes in place that enable you to restrict personal data if required. It is important to note that the definition of processing includes a broad range of operations including collection, structuring, dissemination and erasure of data. Therefore, you should use methods of restriction that are appropriate for the type of processing you are carrying out.

The GDPR suggests a number of different methods that could be used to restrict data, such as:

temporarily moving the data to another processing system;

making the data unavailable to users; or

temporarily removing published data from a website.

It is particularly important that you consider how you store personal data that you no longer need to process but the individual has requested you restrict (effectively requesting that you do not erase the data).

If you are using an automated filing system, you need to use technical measures to ensure that any further processing cannot take place and that the data cannot be changed whilst the restriction is in place. You should also note on your system that the processing of this data has been restricted.

Yes. If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the restriction of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.

The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:

the individual has disputed the accuracy of the personal data and you are investigating this; or

the individual has objected to you processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of your legitimate interests, and you are considering whether your legitimate grounds override those of the individual.

Once you have made a decision on the accuracy of the data, or whether your legitimate grounds override those of the individual, you may decide to lift the restriction.

If you do this, you must inform the individual before you lift the restriction.

As noted above, these two conditions are linked to the right to rectification (Article 16) and the right to object (Article 21). This means that if you are informing the individual that you are lifting the restriction (on the grounds that you are satisfied that the data is accurate, or that your legitimate grounds override theirs) you should also inform them of the reasons for your refusal to act upon their rights under Articles 16 or 21. You will also need to inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek a judicial remedy.

You can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If you consider that a request is manifestly unfounded or excessive you can:

request a “reasonable fee” to deal with the request; or

refuse to deal with the request.

In either case you will need to justify your decision.

You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.

In more detail – Data Protection Act 2018

There are other exemptions from the right to restriction contained in the Data Protection Act 2018. These exemptions will apply in certain circumstances, broadly associated with why you are processing the data. We will provide further guidance on the application of these exemptions in due course.

The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for restriction verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.

A request does not have to include the phrase ‘request for restriction’ or Article 18 of the GDPR, as long as one of the conditions listed above apply.

This presents a challenge as any of your employees could receive a valid verbal request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.

Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.

You must act upon the request without undue delay and at the latest within one month of receipt.

You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

Example

An organisation receives a request on 3 September. The time limit will start from the next day (4 September). This gives the organisation until 4 October to comply with the request.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.

If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.

This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.

Example

An organisation receives a request on 30 March. The time limit starts from the next day (31 March). As there is no equivalent date in April, the organisation has until 30 April to comply with the request.

If 30 April falls on a weekend, or is a public holiday, the organisation has until the end of the next working day to comply.

For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.

However, it is the ICO’s view that it is unlikely to be reasonable to extend the time limit if:

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

You must let the individual know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.

Cookie Consent Settings

About Cookies

Why we use cookies?

To make this site work properly, sometimes we place small data files called cookies on your device. This is a common practice for websites.

What are cookies?

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.

How do we use cookies?

There are 4 types of cookies that we use: Strictly Necessary, Performance, Functional and Advertising.

Please remember that if you delete your cookies, or use a different browser or device you will need to reset your cookie consent settings.

Strictly Necessary Cookies Always Active

These cookies are essential to use this website and its features, such as accessing secure areas of the website or using a shopping basket. They are not used for tracking or advertising purposes. We do not share this data. We use the strictly necessary cookies listed below:

Performance Cookies Active

These cookies collect information about how you use a website, such as which pages you visit most often or if you see error messages. These cookies do not collect information that identifies you. Information collected is aggregated and anonymized to improve how this website works. We use the performance cookies listed below:

Functional Cookies Active

These cookies allow this website to remember choices you make, such as your user name, language or your geographical region and provide personalized features. Also, they are used to remember your progress in important features of the website, such as your progress in a video so you can return to the same spot, and features such as changes you made to text size, fonts and other customizations. We use the functitonal cookies listed below:

Targeting Cookies Inactive

These cookies are used to deliver advertisments more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaigns. They remember that you have visited a website and this information is shared with other organisations such as advertisers. We use the advertising cookies listed below: